CLAIMS 

What is claimed is: 

1. A method of authenticating a client, the method comprising:
receiving a record ID for a user, and a one-time key generated by the server and encrypted with a user's public key by the server;
receiving the user's authentication data from the client;
determining if the user's authentication data matches the record ID; and
if so, decrypting the one-time key with the user's private key, and returning the decrypted one-time key to the client.

2. The method of claim 1, further comprising registering the user, registering comprising:
receiving a registration authentication data from the user;
generating a random public key/private key pair for the user;
generating a random record ID for the user; and
associating the authentication data and the private key with the record ID.

3. The method of claim 2, further comprising: sending the record ID and the public key to the user.

4. The method of claim 2, further comprising establishing a secure connection with the user prior to receiving registration authentication data.

5. The method of claim 1, wherein a web page presented by the server to the client prompts the user to enter the authentication data to log in to the server.

6. The method of claim 5, wherein the client's authentication data is automatically redirected to the authentication server.

7. The method of claim 1, wherein the authentication data is biometric data.

8. The method of claim 1, wherein the authentication data is personal data selected from among the following: a password, a smart card, and another type of authentication card.

9. The method of claim 1, wherein the client forwards the decrypted one-time key to the server, thereby authenticating the user as the owner of the private key.

10. The method of claim 1, further comprising discarding the record ID after returning the one-time key to the user.

11. The method of claim 1, wherein the record ID and the encrypted one-time key are further encrypted using a partner key, the method further comprising decrypting the record ID and encrypted one-time key using the partner key.

12. The method of claim 11, wherein the partner key is a symmetric key set up during registration of the partner.

13. The method of claim 11, wherein the partner key is a private key of the authentication server.

14. A method of using a third party authentication server to authenticate a user to a server, the method comprising:
looking up a record ID associated with the user;
generating a one-time key and encrypting the one-time key with a public key of the user, and sending the encrypted one-time key and the record ID to the user;
receiving authentication data, the authentication data being the decrypted one-time key; and
permitting access to the server.

15. The method of claim 14, comprising:
determining an authentication policy associated with the user; and
verifying that the authentication policy has been satisfied, prior to permitting access to the server.

16. The method of claim 15, wherein verifying that the authentication policy has been satisfied comprises:
determining if the server should verify additional data; and
if so, requesting additional data from the user prior to generating the one-time key.

17. A third-party authentication system comprising:
an authentication server to receive a record ID for a user, and a one-time key generated by the server and encrypted with a user's public key by the server;
a comparison logic to receive user authentication data from the client and comparing whether the user's authentication data matches the record ID; and
a decryption logic to decrypt the one-time key with a private key associated with the validated record ID, and returning the decrypted one-time key to the client.

18. The system of claim 17, further comprising:
a policy validation logic to receive a policy from the server, and determine if the policy has been fulfilled; and
the decryption logic to decrypt the one-time key only if the policy has been fulfilled.

19. The system of claim 17, further comprising:
a nonce generation logic to generate a nonce, the nonce to be included with the user authentication data from the client; and
the comparison logic to verify that the user authentication data includes the appropriate nonce.

20. The system of claim 17, further comprising a client registration logic to register the user, the client registration logic comprising:
a key generation logic to generate a random public key/private key pair for the user;
a record ID generation logic to generate a random record ID for the user; and
the client registration logic to associate user authentication data with the private key and the record ID.

21. The system of claim 18, further comprising:
the interface to send the record ID and the public key to the user.

22. The system of claim 19, wherein the interface establishes a secure connection with the user, prior to receiving registration authentication data.

23. The system of claim 17, wherein a web page presented by the server to the client prompts the user to enter the authentication data to log in to the server.

24. The system of claim 23, wherein the client's authentication data is automatically redirected to the authentication server.

25. The system of claim 17, wherein the authentication data is biometric data.

26. The system of claim 17, wherein the authentication data is personal data selected from among the following: a password, a smart card, and another type of authentication card.

27. The system of claim 17, wherein the client forwards the decrypted one-time key to the server, thereby authenticating the user as the owner of the private key.

28. The system of claim 17, further comprising a security mechanism to discard the record ID after returning the one-time key to the user.

29. The system of claim 17, wherein the decryption logic further decrypts the record ID and the encrypted one-time key with a partner key.

30. The system of claim 29, wherein the partner key is a symmetric key set up during registration of the partner.

31. The system of claim 29, wherein the partner key is a private key of the authentication server.
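The exchange the claims describe, as an added Python model that is not part of the patent: registration at the third-party authentication server (claims 2 and 3), the relying server's encrypted one-time-key challenge (claim 14), the authentication server's check that the authentication data matches the record ID before it decrypts (claim 1), and the client forwarding the decrypted key to prove it controls the private key (claims 9 and 27). The class names, the SHA-256 hashing of the stored authentication data, and the toy ElGamal standing in for the unspecified public-key scheme are assumptions of this example.

```python
import secrets, hashlib, hmac
# Toy ElGamal over the 61-bit Mersenne prime: illustrative only, NOT secure
# (tiny group, no padding). Real systems use RSA-OAEP/ECIES from a vetted lib.
P, G = (1 << 61) - 1, 3

def keygen():                                      # -> (private, public)
    x = secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P)

def encrypt(pub, m):                               # m in [1, P-1]
    k = secrets.randbelow(P - 2) + 1
    return pow(G, k, P), (m * pow(pub, k, P)) % P

def decrypt(priv, ct):
    c1, c2 = ct
    return (c2 * pow(c1, P - 1 - priv, P)) % P     # c1^(-priv) by Fermat
def digest(s):                                     # assumed: auth data stored hashed
    return hashlib.sha256(s.encode()).digest()

class AuthServer:
    """Third party: holds the auth-data hash and private key per record ID."""
    def __init__(self):
        self.records = {}
    def register(self, auth_data):                 # claims 2 and 3
        priv, pub = keygen()
        rid = secrets.token_hex(16)
        self.records[rid] = (digest(auth_data), priv)
        return rid, pub                            # private key never leaves
    def authenticate(self, rid, enc_otk, auth_data):    # claim 1
        rec = self.records.get(rid)
        if rec is None or not hmac.compare_digest(rec[0], digest(auth_data)):
            return None                            # auth data must match record ID
        return decrypt(rec[1], enc_otk)

class Server:
    """Relying server: knows only each user's record ID and public key."""
    def __init__(self):
        self.users, self.pending = {}, {}
    def challenge(self, user):                     # claim 14: look up, OTK, encrypt
        rid, pub = self.users[user]
        otk = self.pending[user] = secrets.randbelow(P - 2) + 1
        return rid, encrypt(pub, otk)
    def verify(self, user, response):              # claims 9 and 14; pop => single use
        return self.pending.pop(user, None) == response

def login(server, auth_server, user, auth_data):   # client side of the exchange
    rid, enc_otk = server.challenge(user)
    otk = auth_server.authenticate(rid, enc_otk, auth_data)
    return otk is not None and server.verify(user, otk)
```

Because `verify` pops the pending key, a captured decrypted one-time key cannot be presented a second time, and the private key never leaves the authentication server, which is the property claim 9 relies on.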